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(54) System guaranteeing integrity of 
a gambling system 

(57) Data and associated validation in- 
formation stored in a nonsecure loca- 
tion are verified as to integrity by 
cryptograph techniques. Verification 
activates a gambling system to operate 
in a gambler-responsive mode, and 
non-verification activates an alarm 
mode. The system is used in postal 
metering, electronic mail, electronic 
funds transfer and other source data 



processing systems. The validation in- 
formation is formed by deriving a first 
value from the data according to a first 
relationship, and then deriving the vali- 
dation information from the first value 
by means of a nonpublic derivation 
having an inverse function. The valida- 
tion word is then associated with the 
data and stored in the nonsecure por- 
tion. Verification is accomplished by 
deriving 430 a first value from the data 

(57) continued overleaf.. 
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by the first relationship, and deriving 
450 a second value from the validation 
information by nrjeans of the inverse 
function. The first and second values 
are operatively related 450 to determine 
system integrity. All relationships are 
oneway functions, in a preferred embo- 
diment, in a preferred embodiment, the 
first and inverse second relationships' 
are public and the second relationship 
is secret. 
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SPECIFICATION 



A system and method for guaranteeing the integrity of a gambling system 

5 This invention relates to secure systems, such as gambling apparatus, and more particularty taa system for 5 
9uar9nteeing the integrity of information content in the secure system, such as the control program of 
gambling apparatus. 

It is often the case in electronic gambling systems that a microprocessor electronics based gambling 
system can be customized for different types of play by changing a memory device (such as an EPROM) or 

10 by changing the memory device contents (such as by remotely downloading data into a read-write memory 
(RAM or EPROM), However, it is currently the practice of some state gambling commissions, such as New 
Jersey, U.S.A. to require a seal be applied to ail circuitry on each circuit board (including the EPROM or RAM) 
as part'of the certification process. Thus, inventories must be maintained of the sealed boards for each of a 
plurality of machines, both in manufacturing output and maintaining a repair stock pile. This approach is 

15 both costly and inefficient, inasmuch as many machines have a common nucleus and utilize the same circuit ^5 
board with a different control memory program for each of a plurality of games being selected by 
interchanging a memory device or its contents. 

Although this approach is costly and cumbersome, there has heretofore been no alternative technique 
provided to perform the important function of guaranteeing the integrity of the gambling machines. 

20 In accordance with one aspect of the present invention, a system is provided wherein data and associated 20 
validation information stored in a nonsecure location are verified as to integrity by cryptographic techniques. 
Good integrity verification activates the system to operate in a first mode, and bad integrity verification 
activates the system to operate in a second mode. In a preferred embodiment, the system is a gambling 
system, with a first mode corresponding to user responsive operation and the second mode corresponding 

25 to an alarm mode. Other systems where the present invention would be useful include postal metering, 25 
electronic mail, electronic funds transfer and other secure data processing systems. 

In accordance with another aspect of the present invention, the system has an interface port for 
communicating with an external device, such as a central control computer. Data and associated validation 
information are loaded into memory in the nonsecure location, and the system verifies the integrity of the 

30 data and associated validation information as stored in the memory by cryptographic techniques operatively 30 
relating the data to the associated validation word. The system is activated to either a first or second 
operative mode responsive to a verification result of good or bad integrity, respectively. 

For example, a central computer could download information to one or a plurality of remotely located 
systems which would each verify the integrity of the information received and stored in its respective 

35 memory. Where the remotely located systems are gambling systems, the downloaded information can be 35 
odds, control programs, random number seeds, etc. 

In accordance with one of the illustrated embodiments of the present invention, a gambling apparatus is 
disclosed having a secure portion which is certified and sealed by the Gaming Commission, and having a 
nonsecure portion, not sealed by the Gaming Commission, the integrity of which is verified by the secure 

40 portion. The secure portion of the gambling apparatus comprises a circuit board having a central processor 40 
and a first memory. The nonsecure portion of the gambling apparatus is comprised of a second portion of 
the circuit board, or an independent circuit board, having a second memory such as a nonsecure ROM, 
EPROM, or read-write memory (RAM). Utilizing cryptographic techniques, the integrity of the nonsecure 
portion of the system is verified by the secure portion of the system. 

45 The gambling system is operable in three modes, and powers up in a test mode for verifying the integrity 45 
of the gambling system. Where a positive verification is made that the nonsecure memory (e.g. ROM) has 
satisfactory integrity, the system is activated to an operable mode responsive to player user control inputs. 
Alternatively, where the results of the test mode is a negative verification showing the nonsecure memory 
does not have good integrity, and gambling system is forced to an inoperable mode nonresponsive to player 

50 user control inputs, and an alarm is activated. 50 
The nonsecure portion of the circuit board, the integrity of which is cryptographically detectable, has a first 
nonvolatile memory (such as a ROM, PROM, EPROM or EEPROM nonvolatile memory or a read-write [RAM] 
volatile memory) having a validation word stored therein, the validation word being derived from the first 
memory contents according to a first relationship. The validation word is formed by deriving a first value 

55 from the first memory's contents. The validation word is then derived from the first value by means of a 55 
nonpublic derivation having an inverse function. The validation word is then combined to form a part of the 
contents of the first memory. 

The secure portion of the circuit board has a processor and a second nonvolatile memory mounted 
thereon. The integrity of the secure portion is overt and detectable, such as by physical seat. The secure 

60 portion of the board includes means for deriving a second value from the validation word of the first memory 60 
means of the inverse function. The secure portion also includes means for comparing the first and second 
values, and means for verifying the integrity of the second memory. The verification means activates the 
gaming system to the user reponsive play mode responsive to a comparison result of equality, or activates 
the gaming system to the user nonresponsive (alarm) mode responsive to a comparison result of inequality. 

65 The relationship for deriving the first value, the nonpublic relationship, and the inverse relationship of the 55 
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non-public relationship, are such that interrelating or cross deriving one to another is very complex and an 
extremely difficult and time consuming task, in a preferred embodiment, the encryption function is secret 
and the inverse function is public. 
A better understanding of the invention may be had from the following detailed examples, the detailed 
5 description being taken in conjunction with the accompanying drawings in which: 5 
Figure / is a perspective view of a gaming system such as a video slot gambling machine, illustrating one 
apparatus which can utilize the present invention; 

Figure 2 IS a top view showing one embodiment of a circuit board as contained in the gaming system of 
Figure 1 having a secure portion and a nonsecure portion; 
10 F/^£/re 3 is a flow chart illustrating one embodiment of the encryption method utilized in accordance with -jq 
one embodiment of the present invention; 

Figure 4 is a flow chart of the decryption/test method as utilized in accordance with one embodiment of the 
present invention; and 
Figure 5A-D are com puter program listings for one embodiment of the present inention. 
15 Referring now to Figure 1, a gaming system is shown illustrative of one embodiment of the present 15 
invention. A housing 100 is provided which contains the necessary human player control interfaces as well 
as electronic circuitry and mechanical circuitry. Human player control inputs are provided, such as push 
buttons 110 and control handle 120. A viewing area, 130 such as video screen is provided on the front of the 
cabinet housing 100 for player viewing of the gaming machine response to player inputs. Coin shoots 140 
20 are provided for accepting player coins and returning bent coins. The number of credits which the player has 20 
as well as the active game display are provided on the visual display means 1 30. For example, the gaming 
system of Figure 1 can be a slot machine gambling system having 3, 4, or any number of reels, or may 
alternatively be any other type of gaming or gambling system. Where applicable, a pay out shoot 145 may be 
provided for outputting coins to winning players. 
25 The housing 100 also contains an electronic circuit board 200, as shown in Figure 2, which provides the 25 
control and game electronic circuitry necessary to create the desired gambling system in conjunction with 
the video display 1 30 and user interface controls 1 1 0 and 120. Additionally, the housing 1 00 contains 
necessary power supplies, limit switches, etc. necessary to implement the remainder of the desired gaming 
system, 

30 Referring to Figure 2, the circuit board 200 as discussed with reference to Figure 1 is shown in block 30 
diagram form. The circuit board 200 may be comprised of a single circuit board or of a plurality of circuit 
boards with appropriate interconnections provided. The circuit board 200 is comprised of two functionally 
separate units, a sealed secured portion 21 0 and a nonsealed, nonsecure circuit portion 250. The sealed 
circuit board portion 210, as illustrated, contains a microprocessor 220, a read only memory (such as a ROM, 

35 PROM, or EPROM), and miscellaneous electronic and electromechanical circuitry 240. The sealed portion of 35 
the circuit board 210 represents the sealed portion of the gaming system in a physical sealing manner which 
would comply with a particular State Gaming Commission's requirements. 

The nonsealed portion of the circuit board, 250, contains an interconnection socket 260 for a memory 
device, (e.g. for a RAM, ROM, PROM, or EPROM). When the socket 260 provides interconnection for a 

40 read-write memory, RAM or EPROM, the data contents of the read-write memory can be downloaded into 40 
; the read-write memory. For example, a control program can be down-loaded from a remote site into the 
read-write memory of a local gambling system via an interface port 270 (Figure 2) of the local gambling 
system and the downloaded program verified by the secure portion of the circuit board in accordance with 
the teachings of the present invention. Multiple gambling systems can be configured to meet crowd 

45 selection patterns by specifying control programs either locally or remotely for each system. The systems 45 
can also be selectively forced inoperative by downloading appropriate control programs. This portion of the 
circuit board is not physically sealed, and thus the memory inserted into the ROM socket 260 can easily be 
changed or interchanged . While this is desirable from the view point of minimizing spare parts stock piling 
and maximizing manufacturing flexibility, the nonsealed socket does pose security risks and problems. 

50 However, in accordance with the present invention, cryptographic techniques are utilized to verify the 50 
integrity of the nonsecure portion of the circuit board, 250, via means of cryptographic processing by the 
secure portion of the circuit board, 21 0. The microprocessor 220 may be of any type, with its selection being 
made based upon desired operating speed, instruction set capabilities, and cost considerations. In addition, 
the microprocessor 220 may be comprised of a plurality of circuits including a general purpose 

55 microprocessor tof a 4, 8, 16, 32, etc. bits register length), in conjunction with special purpose peripheral 55 
processors and interface chips, such as number crunchers, fast Fourier processors, fast multipliers, etc. 

Referring to Figures 3 and 4, the methodology utilized to accomplish the invention of the illustrated 
embodiments can be more readily understood by reference to the encryption (Figure 3) and decryption 
(Figure 4) flow charts. 

60 Referring to Figure 3, the encryption process utilized for creating a verifiably secure memory for insertion qq 
into the nonsealed socket 260 (of Figure 2) is illustrated in flow chartform. The procedure starts at step 300. 
Proceeding at step 310 the last N bytes of the nonsecure memory are designated as a validation word W and 
reserved from the remaining contents of the nonsecure memory which is designed as the vector R. A control 
program which has been developed is loaded into the encryption systems memory and designated as the 

65 contents of the nonsealed and nonsecure memory (the vector R). The validation v/ord W is as yet undefined, 55 
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but will represent the encrypted key to insure the integrity of the rennainder of the contents of the mennory. 
Proceeding to step 320 an integer value F(R) is connputed fronn the vector R by means of a one way public 
function F. Fisa one way function mapping R into an integer whose magnitude is comparabieto that of one 
element of R. F need not be one to one, but should be such that changing R while leaving F(R) unchanged is a 
5 difficult task. The function Fis a public function in that it is also utilized in the encryption process and may be 5 
discovered or known by members of the public. 

Proceeding to step 330, a validation word W is computed from the value F(R) by means of a secret function 
D which maps words into words with an inverse function E which is a public encryption function. Thus, W = 
D(F(R)), and E(D) = 1 . Thus, when the function E is utilized in the encryption process, E (W) should equal F(R) 
only when the contents of the memory (the vector R and the validation word W) has not been tampered with, lo 
Thus, the integrity of the contents of the nonsealed nonsecure memory can be verified. 

Proceeding to step 340, the validation word W is placed in the memory locations which had been set aside 
as the last N bytes of the nonsealed memory. At this point the encryption proces has ended as evidenced at 
step 350. The contents of the nonsealed memory (vector R) plus the validation word (appropriately located in 

^5 the last N bytes) can be committed to the nonsecure and nonsealed memory (e.g. ROM, EPROM, RAM). 15 
For fu rther details on one way mapping functions, and public key cyrptography concepts, reference is 
made to the literature in general, such as "A Method for Obtaining Digital Signatures and Public Key 
Cryptocism Systems", by R.L. Rivest, et al., as published in the February, 1978, Volume 21, Number 2 issue of 
the Communications of the ACM r at pages 120-126, hereby incorporated herein by reference. A second 

20 reference, 'The Mathematics of Public Key Cryptography" by Martin E. Heliman, published in Scientific 20 
American, pages 146-157, 19, deals generally with the mathematics involved in public key cryptography, and 
is hereby incorporated herein by reference. Both of the aforementioned references deal with the general 
problem of secure electronics communication system, either for message transfer, or for funds transfer. The 
references address themselves to techniques to prevent tampering with new electronic communication 

25 systems and fund transfer systems and means to protect the vast quantities of private information such as 25 
credit records and medical history stored in computer data banks. Encryption and decryp- tion are utilized for 
transforming information so that it is unintelligible and therefore useless to those who are not meant to have 
access to it. Secondly, cryptographic techniques are utilized to insure that messages sent have not been 
tampered with, of critical concern in electronic funds transfer. 

30 ' Referring to Figure 4, the decryption process is illustrated in flow chart form, illustrating one embodiment 30 
of the present invention. The process flow starts when the gambling system of Figure 1 is powered up, at 
step 400. The process proceeds to step 41 0 where the system is set to the test mode, wherein the system is 
nonresponsive to players control inputs. The contents of the nonsealed portion of the circuit board are 
examined by the secure sealed portion of the circuit board, by defining the last N bytes of the nonsealed 

35 memory contents as the validation word W, and defining the remaining nonsealed memory contents as a 35 
vector R, whose elements are the individual words of the nonsealed memory. 

Proceeding, as illustrated at step 430, the integer value F{R) is computed for the nonsealed memory 
contents represented as the vector R by means of the public function F. Next, an integer value E(W) is 
computed from the validation word W based upon the pu blic encryption function E. It will be recalled that the 

40 function E is the inverse of the function D. Thus, E(W) = E(D(F(R))) = F(R) only when the contents of the 40 
nonsealed memory have not been tampered with. 

The decryption process proceeds as illustrated at step 450, where the computed value F(R) is compared to 
the computed value E(W). If F{R) = E(W),then the integrity of the nonsealed memory has been positively 
verified^ and the gaming system flow proceeds as illustrated at step 480. The gaming system is set to a 

45 player responsive operable mode, wherein the coin chute and user controls are activated and the gaming 45 
system becomes playable, as illustrated at step 490. The control program contained in the nonsealed 
memory is executed by the processor in the sealed portion of the circuit board, 210, and the gaming system 
operation proceeds under supervision of the control program. At this point, the decryption and integrity 
verification procedure has been completed, as illustrated at step 500. 

5Q Referring back to decision block 450, where the result of the comparison of F(R) and E(W) results in a 50 
determination of inequality, the procedureal flow continues as illustrated at step 460. The gaming system of 
Figure 1 is set to a player nonresponsive alarm mode. The user controls become inoperative, and the system 
proceeds to execute an alarm control program, as preferably stored in the secure sealed ROM illustrated at 
step 470. At this point the machine is disabled, and the operator is informed of the error condition. The 

5g tainted nonsealed memory device is removed from the nonsealed socket and the operator can choose 55 
between shutting the system down, ortrying an alternte non-sealed memory integrated circuit. Where the 
system is shut down, the procedural flow is ended, as illustrated at block 500. Where a new integrated circuit 
is placed in the ROM socket 460, the decryption procedure repeats starting again at step 400 with power up. 
In either event, the tainted memory chip should be turned over to authorities for evaluation as to tampering 

gQ or simply system or manufacturing error. 60 
Thus, in accordance with the discussion of the illustrated embodiment, herein, the ROM 230 in the sealed 
portion of the circuit board, 210, contains a verification program to monitor the security of the nonsealed 
portion of the circuit board 250 containing the plugged in nonsealed memory 260. The function F is a 
plublicly available function such that the signature F(R) provides a publicly available signature of the 
nonsealed memory contents less the validation check word W, while the encryption function E is publicly 65 
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available to provide for a publicly available encryption key check word E(W). By computing the validation 
check word W using a secret decryption key, function D, which is the inverse of the public encryption 
function E, the integrity of the entire contents of the nonseaied memory (both the validation word Wand the 
remaining contents) can be protected and detected in accordance with the present invention's teachings. 
5 An exarhple may be illustrative. Presume the nonseaied memory to be protected is an EPROM having a 5 
capacity of 2048 bytes. The last 8 bytes are set aside as the validation word W, and the remainder is 
partitioned into 408 five byte words {Do, Di ... D407I. Define 408 prespecified integers (Pi, P2, ... P407) and an 
additional prespecified integer P4oa. Additionally, a large composite integer XNBase is prespecified. F(R) and 
E(W) can then be computed as follows: 

10 " 10 

i - 407 

F(R) =S WiP'(modulo XNBase). 
i = o 

15 15 ' 

E(Wj - (modulo XNBase). 

The validation check procedure can be modified slightly such that if F{R) plus E(W) (modulo XNBase) equal 

20 to 0 then the integrity of the EPROIVI is questioned and the system goes to the alarm mode. This example in 20 
its modified format has been implemented with a BASIC language program and has been successfully tested 
on an EPROM from an electronic slot machine. The BASIC language program and EPROM object code 
hexdump listing are illustrated in Figures 5a-d. While BASIC language was utilized in the illustrated program 
of Figure 5, any computer programming language could be utilized with an appropriate system, in the 

25 illustrated system of Figures 1-5, all arithmetic operations were exact modulo (XNBase), double precision 25 
numbers exact to 16 digits. However, other cryptographic mathematical techniques could be utilized equally 
well, and implemented in accordance with the teachings of the present invention. 

It will be understood by those skilled in the art that other functional and operative relationships between 
the data and validation information can be used consistent with the teachings of the present invention. 

3Q Furthermore, in performing the verification function, operative relationships in addition to or instead of 30 
comparison can be used consistent with the teachings of the present invention. 

While there have been described above various embodiments of system and methods for guaranteeing 
the integrity of the control program of a gambling machine having sealed and nonseaied portions, for the 
purpose of illustrating the manner in which the invention may be used to advantage, it will be appreciated 

35 that the invention is not limited thereto. Accordingly, any modification, variation, or equivalent arrangement 35 
within the scope of the accompanying claims should be considered to be within the scope of the invention. 

CLAIMS 

4Q 1 . A system for selectively operating in one of a plurality of modes responsive to a determined system 40 
integrity comprising: 

(a) a nonsecure portion of the system having data and validation information in a portion therein, 

(b) a secure portion of the system comprised of: 

(1) means for deriving a first value from the data according to a first relationship; 
45 (2) means for deriving a second value from said validation information by means of a second 45 

relationship, 

(3) means for operatively relating said first and second values to determine system integrity, 

(4) means for activating said system to a selected operational mode responsive to said means for 
operatively relating, 

50 2. The system as in Claim 1 further characterized in that said nonsecure portion comprises a memory. 50^ 

3, The system as in Claim 1 wherein the integrity of the nonsecure portion is cryptographically verifiable, 
and the integrity of the secure portion is noncryptographically verifiable. 

4. The system as in Claim 1 further characterized in that said validation information is derived from said 
data according to first and third relationships. 

55 5. The system as in Claim 4 wherein said second relationship is the inverse of the third relationship. 55 

6. The system as in Claim 1 further characterized In that said means for operatively relating provides bad 
and good system integrity outputs indicative of the determined system integrity. 

7. The system as in Claim 6 wherein said means for activating said system activates said system to a first 
operational mode responsive to good system integrity output and activates said system to a second 

QQ operational mode to a bad system integrity output. 60 

8. The system as in Claim 1 further characterized in that said system is activated to a first operational 
mode responsive to a determination of good system integrity and said system is activated to a second 
operational mode responsive to a determination of bad system integrity. 

9. The system as in Claim 7 or 8 further characterized in that said first operational mode is a normal 

gg operational mode, and said second operational mode is an alarm mode. 65 
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10. The system as in Claim 4 or 5 wherein said first and second relationships are public and said third 
relationship Is secret. 

1 1 . The system as in Claim 4 or 5 wherein said first, second and third relationships arq one way functions. 

1 2. The system as in Claim 1 wherein said first relationship is further characterized in that changing any 

5 of the data changes the first value. 5 

1 3. They system as in Claim 1 further characterized as a gaming system. 

1 4. The system as in Claims 1 or 2 or 3 or 4 or 5 or 6 or 7 or 8 or 1 2 further characterized as a gaming 
system. 

1 5. The system as in Claim 10 further characterized as a gaming system. 

10 16. The system as in Claim 11 further characterized as a gaming system. 10 
1 7. The system as in Claim 9 further characterized as a gaming system. 

1 a. The system as in Claim 17 wherein said noraml operation mode is a player-responsive mod^. 

1 9. The system as in Claim 13 further characterized in that said secure portion is physically sealed. 

20. A system as in Claim 1 or 13 further characterized in that said data and validation information are 

15 loaded into said nonsecure portion from an apparatus remotely located relative to the system. 15 

21 . The system as in Claim 1 or 1 3 wherein said nonsecure portion Includes a memory, and said secure 
portion includes a processor and a memory. 

22. The system as in Claim 1 or 13 further comprising: 

interface means for communicating with a device external to the system, 
20 means for loading the nonsecure portion with received communications responsive to the interface 20 
means. 

23. The system as in Claim 22 wherein said received communications is further characterized as said 
data and validation information. 

24. The system as in Claim 22 further comprising: 

25 means for communicating the determined system integrity to a device external to the system. 25 

25. The system as in Claim 1 or 13 wherein said secure portion of the system is remotely located relative 
to said nonsecure portion. 

26. The system as in Claim 1 or 1 3 wherein said secure portion comprises a processor and a memory, 
wherein said processor executes instructions from said secure memory to derive said first and second 

30 values. 30 

27. The system as in Claim 8 further characterized in that said first mode is a player responsive mode, 

and said second mode is a player nonresponsive mode. 

28. The method as in Claim 27 wherein said second mode activates an alarm. 

29. A system for insuring the integrity of a remotely located downloaded memory comprising; 

35 (a) a controller including encryption circuitry for deriving validation information from data by means of a 35 
first relationship and a second relationship having an inverse, 

(b) a system, remotely located relative to said controller, including a memory, 

(c) means for communicating data and validation information from said controilerto said remotely 
located system for storage in said memory, 

40 id) verification means comprised of: 40 

(1 ) means for deriving a first value from the data contents of the memory by said first relationship; 

(2) means for deriving a second value from said validation information by said inverse relationship; 

(3) means for operatively relating said first and second values for providing an output indicative of 
system integerity, and 

45 (4) means for manifesting an action responsive to said system integrity output. 45 

30. The system as in Claim 29 wherein said verification means is remotely located relative to said 
controller. 

31 . The system as in Claim 30 further characterized in that said first relationship and inverse second 
relationship are public and said second relationship is secret. 

50 32. The system as in Claim 30 wherein said remotely located system is a gaming system. 50 

33. The system as in Claim 30 wherein said first, second and inverse relationships are one- way mapping 
functions. 

34. The system as in claim 30 wherein said action is further characterized as activating said system to a 
normal operable mode responsive to an output of good system integrity, and activating said system to an 

55 alarm mode responsive to an output of bad system integrity. 55 

35. The system as in Claim 30 wherein said remotely located system is further comprised of data 
processing means. 

36. The system as in Claim 30 wherein said controller is operativeiy coupled to selectively communicate 
with a plurality of remotely located systems. 

60 37. The system as in Claim 36 further characterized in that at least one of said remotely located systems 60 
is a gaming system. 

38. The system as in Claim 37 wherein each of said remotely located systems is operatively configured 
responsive to communications from said controilerto the respective remotely located system. 

39. A gaming system comprising: 

55 (a) a circuit board; 65 
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(b) a nonsecure portion of the circuit board, the integrity of which is cryptograph icaiiy detectable, having 
a nnennory having data and validation information stored therein, wherein the validation information is 
derived from the data information according to a public first relationship and a secret second relationship 
having a public Inverse relationship; 

5 (c) a secure portion of the circuit board having processing electronics mounted thereon, the integrity of 5 
the secure portion being detectable, 
wherein said secure portion of the circuit board is further comprised of: 
(1) means for deriving a first value from the data omfpr, atopm according to the public first 
relationship, 

10 <2) meansfor deriving a second value from said validation word by means of said public inverse 10 
relationship, 

(3) means for operating on said first and second values to provide an integrity signal, 

(4) means for activating said system to a first mode responsive to a first integrity signal indicative of 
good system integrity, and 

15 (5) meansforactivating said system to a second mode responsive to a second integrity signal 15 ' 

indicative of bad system integrity. 

40. The system as in Claim 39 wherein said secure portion is further comprised of a processor and a 
second memory. 

41 . The system as in Ciaim 39 wherein said first, second and inverse second relationships are one-way 

20 functions. 20 

42. A system as in Ciaim 39: 

wherein said first relationship has the characteristic that changing the contents of said memory changes 
said first value. 

43. The system of Claim 39: 

25 wherein said second relationship Is a one-way trap-door function. 25 

44. A gaming system comprising : 

(a) a cabinet having a display area and a usercontroU 
{b) a circuit board mounted within the cabinet; 

(c) a nonsecure portion of the circuit board, the integrity of which is cryptographically detectable, having 

30 a memory having data and validation information stored therein, wherein the validation infomation is 30 
derived, by means of a second relationship having an inverse relationship, from a first value derived from 
and changing according to a first relationship responsive to the data contents; 

(d) a secure portion of the circuit board having verlfiabiy good integrity comprising : 

(1 ) means for deriving a second value from the data contents of the first memory according to the first 

35 relationship, 35 

(2) means for deriving a third value from said validation information by means of said inverse 
relationship, 

(3) means for providing an integrity output responsive to operting on said second and third values, 

(4) means for activating said system to a first mode responsive to a first Integrity output, and 

40 (5) means for activating said system to a second mode responsive to a second Integrity output. 40 

45. The system as in Ciaim 44 wherein said first integrity output is indicative of good system integrity, 
and said second integrity output is Indicative of bad system integrity. 

46. The system as in Claim 45 wherein said first mode is further characterized as activating said system 
to a user control responsive system. 

45 47. The system as in Claim 45 or 46 wherein said second mode is further characterized as activating an 45 
alarm. 

48. A gaming system operable in a player responsive mode and an alarm mode, comprising : = 
a first memory having data and validation information contents therein, wherein said validation 

information is operatively associated with the remaining contents of the nonsecure memor/ 
50 a secure memory; 50^ 
means for vatidating the integrity of the first memory comprising: 

means for executing Instructions from the secure memory so as to derive a first value operatively 
associated with the data contents of the first memory; 

means for executing instructions from the secu re memory so as to derive a second value operatively 
55 associated with the validation information; 55 

means for providing a good/faulty system integrity result output responsive to operatively relating said 
first and second values; 

means for activating said gaming system to said alarm mode responsive to a result output of faulty system 
integrity; and 

60 meansforactivating said gaming system to said player-responsive mode responsive to a result output of 60 
good system integrity, 

49. The system as in Claim 48: 

wherein said first relationship has the characteristic that changing the contents of said first memory 
changes said first value. 

gg 50. A gaming system as in Claim 48 or 49: 65 
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wherein said validation information is derived from said first value. 

51. Tlie system as in Claim 48 wherein said first, second and inverse second relationships are one-way 
functions. 

52. A system for insuring the integrity of information loaded into the system, comprising: 

5 (a) a memory having initially undefined contents; 5 

(b) means for loading data and validation information into the contents of the memory wherein said data 
is related to said validation information according to a public first and a secret second relationship; 

(c) means for verifying the integrity of the loaded contents comprising : 

(1 ) means for deriving a first value according to the first relationship responsive to the data contents of 

10 the memory, . . ^0 

(2) means for deriving a second value according to a public inverse of the second relationship 

responsive to the validation information, 

(3) means for operatively relating the first and second values to provide an integrity output indicative 
of good and bad integrity of the memory contents, 

1 5 (d) means for controlling the operable status of the system further comprising : 1 5 

(1 ) means for activating said system to a normal operational mode responsive to the good integrity 
output, and 

(2) means for activating said system to an alarm mode responsive to said bad integrity output. 

53. The system as in Claim 52: ' 

20 wherein said system is a gaming system. 20 

54. The system as in Claim 53 further comprising : 

an interface port for communicating with an external device; 

means responsive to said interface port for loading said memory with the communications received from 
said external device. 

25 55. The system as in Claim 53 or 54 wherein said memory is located in a nonsecure portion of the second 25 
system, and said means for verifying the integrity and means for controlling the operable status are located 
in a secure portion of the second system. 

56. The system as in Claim 52 or 53 having user responsive input means, wherein said normal 
operational mode is further characterized as being responsive to said user responsive input means. 
30 57. A method of controlling the operable mode of a system having a memory with data and validation 30 
information contents, comprising the steps of: 
deriving a first value from the data contents according to a first relationship, 
deriving a second value from the validation information according to a second relationship; 
operatively relating said first and second values so as to determine system integrity, 
35 activating the system to a selected operative mode responsive to the determined system integrity. 35 

58. The method as in Claim 57 further characterized in that said system is a gaming system. 

59. The method as in Claim 57 further characterized in that said validation information is derived from 
said data content according to the first relationship and an inverse to the second relationship. 

60. The method as in Claim 59 further comprising the steps of: 

40 activating the system to a normal operative mode responsive to a determination of good system integrity, 40 
and 

activating said system to an alarm operative mode responsive to a determination of bad system rntegrity. 

61 . The method as in Claim 57 or 58 further comprising the steps of: 
making the first and second relationships public; 

45 maintaining the inverse to the second relationship in secrecy. 45 

62. The method as in Claim 57 or 58 further comprising the steps of: 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. 

63. The method as in Claim 62 wherein said validation information is derived from said first value, further 
50 comprising the steps of: . 

determining said second value from said validation information by means of an inverse derivation to that 
by which the validation information is obtained from the first value. 

64. A method for creating a memory having verifiable secure data contents comprising the steps of: 
deriving a first value from the data contents of the memory by a first relationship wherein changing the 

55 contents ofthe memory changes the first value; 55 
deriving a validation value from said first value by a second relationship having an inverse 
relationship;and 
storing and validation value in said memory contents. 

65. A method of verifying the integrity of a memory having data content and validation value content 

60 related to said data content by first and second relationships, comprising the steps of: 60 
deriving a first value from the data content of the memory by the first relationship; 
deriving a second value from said validation value by an inverse to said second relationship; 
providing an integrity output indicative of good and bad system integrity responsive to operatively 
relating the first value and the second value; 

55 providing a first activation signal responsvie to said integrity output indicating good system integrity and 65 



8 GB2 121 569 A 



8 



providing a second activation signal responsive to said integrity output-indicating bad system integrity. 

66. Tlie method of Claim 64 or 65 wherein said first relationship and inverse second relationship are 
public and said second relationship is secret. 

68. In a system, having a sealed secure circuit portion comprising a processor and a first memory, said 

5 system also having an insecure circuit portion comprising a second memory^ a method of insuring the 5 
integrity of the insecure portion of the system comprising the steps of; 

deriving a first value from the data content of the second memory by a first relationship wherein changing 
the contents of the second memory changes the first value; 

deriving a validation value from said first value by a second relationship having an inverse relationship 

10 10 
storing said validation value at a predefined location in said second memory. 

69. The method as in Claim 68 further comprising the steps of: 

(a) verifying the Integrity of the second memory by means of said secure portion, further comprising the 
steps of: 

5 {1 ) deriving a third value from the contents of the second memory by said first relationship; ^ 5 

(2) deriving a fourth value from said validation value by said inverse relationship; and 

(3) operatively relating the third value to the fourth value and providing a relational output; and 

(b) controlling the operable status of the system further comprising the steps of: 

(1) activating said gaming system to a normal-responsive mode responsive to said relational output 

2Q indicating good system integrity, and 20 

(2) activating the system to an alarm mode responsive to said relational output indicating bad system 
integrity. 

70. The method of Claim 68 or 69 further characterized in that said first and inverse second relationships 
are public and said second relationship is secret 

25 71. The method of Claim 70 further characterized in that said second memory is nonvolatile, 25 

72. The method of Claim 68 or 69 further characterized in that system is a gaming system. 

73. The method of Claim 69 further characterized in that said normal-responsive mode is a player 
responsive mode, and said alarm mode is a player nonresponsive mode. 

74. A method of Claim 71 wherein said step of operatively relating further comprises the steps of: 

3Q comparing the magnitude of said first and second values, and indicating said good system integrity by a ^0 
relational result of equality, and indicating said bad system integrity by a relational result of inequality. 

75. The method of Claim 71 further characterized in that said first, seqond and inverse second 
relationships are one-way mapping functions. 

76. in a gaming system, having a player responsive mode and a player nonresponsive alarm mode, said 

35 system comprising a nonsecure memory having data and validation information, said validation information 35 
being operatively related to the data, said sytem also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 
memory, comprising the steps of: 

(a) executing instructions from the secure memory so as to derive a first value representative of the 

40 contentsof the nonsecure memory; 40 

(b) executing instructions from the secure memory so as to derive a second value representative of the 
validation word; 

(c) operatively relating the first and second values to provide an indication of system integrity; 

(d) activating said gaming system to said player nonresponsive alarm mode responsive to an indication 

45 of improper system integrity; 45 

(e) activating said gaming system to said player-responsive mode responsive to an indication of good 
system integrity. * 

77. The method as in Claim 76 further comprising the steps of: 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
5Q contents of the nonsecure memory changes the first value. 50^ 

78. The method as in Claim 77: 

wherein said validation word is derived from said first value, further comprising the steps of: 
determining said second value from said validation word by means of an inverse derivation to that by 
which the validation word is obtained from the first value. 

79. The method as in Claim 76 wherein said first value is derived by 55 
operatively relating said data to a first functional mapping; and 

further characterized in that said validation information is operatively related to said first value according 
to a second functional mapping, 
wherein said second value is derived by 

operatively relating said validation information to an inverse of said second functional mapping qq 

80. The method of Claim 57 or 58 or 76 further comprising the steps of: 

communicating sard data and associated validation information to the system from a source external to 
the system; 

storing said communicated data and associated validation information in said memory, 
gg 81 . A method for controlling the operative mode of a system, having local and remote devices 55 
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responsive to determined integrity of communiGated information comprising the steps of: 

operating upon data information at the remote device according to first and second relationships to derive 
validation information, 

communicating said data and validation information from the remote device to the local device, 
5 operating upon said data information at the local device, according to said first relationship, to derive a 5 
first value; 

operating upon said validation information at said local device, according to an inverse of said second 
relationship, to derive a second value; 

controlling the operative mode of the system responsive to operatively relating said first and second 
10 values. 10 

82. The method as in Claim 81 further characterized in that there are a plurality of local devices, wherein 
the step of controlling the operative mode of the system further comprises the steps of: 

selectively controlling the operative mode of each of said local devices responsive to the operative 
relationships for each respective first and second values. 
•)5 83. The method as in Claim 81 further comprising the steps of: 15 

deriving said first value by means of a function which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. 

84. The method as in Claim 81 wherein said validation information is derived from said first value, further 
comprising the steps of: 

2Q determiningsaidsecond value from said validation information by means of an inverse derivation to that 20 
by which the validation word is obtained from the first value. 

85. The method as in Claim 81 further characterized in that said first and inverse second functional 
relationships are public, and said second functional relationship is secret. 

86. The method as in Claim 81 or 85 further characterized in that said first, second and inverse second 

25 functional relationships are one-way functions. 25 

87. A system for selectively operating in one of a plurality of modes responsive to a determined system 
integrity substantially as herein described with reference to the accompanying drawings. 

88. A system for insuring the integrity of a remotely located downloaded memory substantially as herein 
described with reference to the accompanying drawings. 

30 89. A gaming system substantially as herein described with reference to the accompanying drawings. 30 

90. A gaming system operable in a player responsive mode and an alarm mode substantially as herein 
described with reference to the accompanying drawings. 

91. A system for insuring the integrity of information loaded into the system substantially as herein 
described with reference to the accompanying drawings. 

35 92. A method of controlling the operable mode of a system having a memory with data and validation 35 
information contents substantially as herein described with reference to the accompanying drawings. 

93. A method for creating a memory having verifiable secure data contents substantially as herein 
described with reference to the accompanying drawings. 

94. A method for verifying the integrity of a memory having data content and validaton value content 

40 related to said data content by first and second relationships substantially as herein described with reference 40 
to the accompanying drawings. 

95. In a system, having a sealed secure circuit portion comprising a processor and a first memory, said 
system also having an insecure circuit portion comprising a second memory, a method of insuring the 
integrity of the insecure portion of the system substantially as herein described with reference to the 

45 accompanying drawings. 45 

96. In a gaming system, having a player responsive mode and a player nonresponsive alarm mode, said 
system comprising a nonsecure memory having data and validation information, said validation information 
being operatively related to the data, said system also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 

50 memory, substantially as herein described with reference to the accompanying drawings. 50 

97. A method for controlling the operative mode of a system, having local and remote devices 
responsive to determined integrity of communicated information substantially as herein described with 
reference to the accompanying drawings. 
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